The battle for the future of the Open Web is taking place as a new document model merges into a platform for highly graphical, interactive and information rich applications. Open source communities vie with dominant vendors Adobe, Microsoft, Apple, Cisco, Nokia and Google to stake out their claims as open source innovations collide with standards consortia and proprietary alternatives.

Sunday, December 25, 2016

This is part of a Motherboard mini-series on the proliferation of phone cracking technology, the people behind it, and who is buying it. Follow along here.

When cops have a phone to break into, they just might pull a small, laptop-sized device out of a rugged briefcase. After plugging the phone in with a cable, and a few taps of a touch-screen, the cops have now bypassed the phone’s passcode. Almost like magic, they now have access to call logs, text messages, and in some cases even deleted data.

State police forces and highway patrols in the US have collectively spent millions of dollars on this sort of technology to break into and extract data from mobile phones, according to documents obtained by Motherboard. Over 2,000 pages of invoices, purchase orders, communications, and other documents lay out in unprecedented detail how one company in particular has cornered the trade in mobile phone forensics equipment across the United States.

Cellebrite, an Israel-based firm, sells tools that can pull data from most mobile phones on the market, such as contact lists, emails, and wiped messages. Cellebrite's products can also circumvent the passcode locks or other security protections on many current mobile phones. The gear is typically used to gather evidence from a criminal suspect's device after it has been seized, and although not many public examples of abuse are available, Cellebrite’s tools have been used by non-US authorities to prosecute dissidents.

Previous reports have focused on federal agencies' acquisition of Cellebrite tools. But as smartphones have proliferated and increasingly become the digital center of our lives, the demand and supply of mobile forensics tools has trickled down to more local bodies.

In their decision, the justices wrote that storing such data, which includes text message senders and recipients and call histories, allows for "very precise conclusions to be drawn concerning the private lives of the persons whose data has been retained."

"Such national legislation exceeds the limits of what is strictly necessary and cannot be considered to be justified within a democratic society," the Luxembourg-based court said.

EU member states seeking to fight a "serious crime" are allowed to retain data in a targeted manner but must be subject to prior review by a court or independent body, the EU's top court said. Exceptions can be made in urgent cases.

The decision came amidst growing calls from EU governments for security agencies to be given greater powers with the goal of preventing or investigating attacks. Privacy advocates, on the other hand, said mass data retention is ineffective in combating such crimes.

In Sweden, the law requires telecommunications companies to retain all their customers' traffic and location data, without exception, the ECJ said.

British law allows authorities to ask firms to keep all communication data for a maximum 12-month period.

In the UK, politicians filed a legal challenge against a surveillance law which passed in 2014, part of which was suspended by a British court. British lawmakers then passed the Investigatory Powers Act - the so-called "snooper's charter."

A German data retention law, which came into effect at the end of 2015, requires telecommunications companies to store telephone and internet use for 10 weeks, after which point the data must be deleted.

The German law also stipulates a shorter storage time of four weeks for location data which results from mobile phone calls. It remains to be seen what effect the ECJ ruling will have on Germany's blanket data retention measures.

Saturday, December 10, 2016

In the trove of documents provided by former National Security Agency contractor Edward Snowden is a treasure. It begins with a riddle: “What do the President of Pakistan, a cigar smuggler, an arms dealer, a counterterrorism target, and a combatting proliferation target have in common? They all used their everyday GSM phone during a flight.”

This riddle appeared in 2010 in SIDtoday, the internal newsletter of the NSA’s Signals Intelligence Directorate, or SID, and it was classified “top secret.” It announced the emergence of a new field of espionage that had not yet been explored: the interception of data from phone calls made on board civil aircraft. In a separate internal document from a year earlier, the NSA reported that 50,000 people had already used their mobile phones in flight as of December 2008, a figure that rose to 100,000 by February 2009. The NSA attributed the increase to “more planes equipped with in-flight GSM capability, less fear that a plane will crash due to making/receiving a call, not as expensive as people thought.” The sky seemed to belong to the agency.

Friday, December 09, 2016

I got a notice from Dropbox tonight that it is now certified under this program. This program is fallout from an E.U. Court of Justice decision following the Snowden disclosures, holding that the then existing U.S.-E.U. framework for ptoecting the rights of E.U. citozens' data were invalid because that framework did not adequately protect digital privacy rights. This new framework is intended to comoply with the court's decision but one need only look at section 5 of the agreement to see that it does not. Expect follow-on litigation. THe agreement is at https://www.privacyshield.gov/servlet/servlet.FileDownload?file=015t00000004qAg
Section 5 lets NSA continue to intercept and read data from E.U. citizens and also allows their data to be disclosed to U.S. law enforcement. And the agreement adds nothing to U.S. citizens' digital privacy rights.
In my view, this framework is a stopgap measure that will only last as long as it takes for another case to reach the Court of Justice and be ruled upon.
The ox that got gored by the Court of Justice ruling was U.S. company's ability to store E.U. citizens' data outside the E.U. and to allow internet traffic from the E.U. to pass through the U.S. Microsoft had leadership that set up new server farms in Europe under the control of a business entity beyond the jurisdiction of U.S. courts. Other I/.S. internet biggies didn't follow suit. This framework is their lifeline until the next ruling by the Court of Justice.

The EU-U.S. Privacy Shield Framework was designed by the U.S. Department of Commerce and European Commission to provide companies on both sides of the Atlantic with a mechanism to comply with EU data protection requirements when transferring personal data from the European Union to the United States in support of transatlantic commerce. On July 12, the European Commission deemed the Privacy Shield Framework adequate to enable data transfers under EU law (see the adequacy determination).

The Privacy Shield program, which is administered by the International Trade Administration (ITA) within the U.S. Department of Commerce, enables U.S.-based organizations to join the Privacy Shield Framework in order to benefit from the adequacy determination. To join the Privacy Shield Framework, a U.S.-based organization will be required to self-certify to the Department of Commerce (via this website) and publicly commit to comply with the Framework’s requirements. While joining the Privacy Shield Framework is voluntary, once an eligible organization makes the public commitment to comply with the Framework’s requirements, the commitment will become enforceable under U.S. law. All organizations interested in joining the Privacy Shield Framework should review its requirements in their entirety. To assist in that effort, Commerce’s Privacy Shield Team has compiled resources and addressed frequently asked questions below.

Thursday, December 08, 2016

I think it plain that we need a flat ban on the same company controlling both an ISP and a content company. Comcast, the ISP/content company has proved that it's willing to misuse its ISP powers to disfavor other content companies such as Hulu and Netflix via network throttling. AT&T plus Time Warner would undoubtedly do the same. And Comcast led the charge against net neutrality, attempting to expand its revenue base from its ISP subscribers to include new charges on content providing companies. We need a clean separation between ISPs and content companies.

At a hearing on Capitol Hill on Wednesday that was being closely watched for how mega-mergers will be viewed in the coming Trump administration, members of a Senate Judiciary subcommittee that oversees regulatory agencies that decide on mergers said the deal merited tough scrutiny. The chief executives of AT&T and Time Warner were grilled at the hearing about a range of issues related to the deal.

But in a change from previous comments, lawmakers also questioned whether traditional ways of evaluating mergers are growing outdated as Silicon Valley companies like Facebook and Google become massive media platforms that threaten the television industry. Their tone was more circumspect than those that immediately followed the deal’s announcement, when lawmakers had been more critical.

Venezuelan President Nicolas Maduro confirmed Saturday that the state intelligence service SEBIN arrested several directors from the Credicard financial transaction company on Friday night.

The financial consortium is accused of having deliberately taken advantage of a series of cyber attacks on state internet provider CANTV Friday to paralyse its online payment platform–responsible for the majority of the country’s accredited financial transactions, according to its website.

“We have proof that it was a deliberate act what Credicard did yesterday. Right now the main people responsible for Credicard are under arrest,” confirmed the president.

The government says that millions of attempted purchases using in-store credit and debit card payment machines provided by the company were interrupted after its platform went down for the most part of the day. Authorities also maintain that the company waited longer than the established protocol of one hour before responding to the issues.

According to CANTV President Manuel Fernandez, Venezuela’s internet platform suffered at least three attacks from an external source on Friday, one of which was aimed at state oil company PDVSA. CANTV was notified of the attacks by international provider LANautilus, which belongs to Telecom Italia.

Nonetheless, Fernandez denied that Credicard’s platform was affected by the interferences to CANTV’s service, underscoring that other financial transaction companies that rely on the state enterprise continued to be operative.

On Friday SEBIN Director Gustavo Gonzalez Lopez also openly accused members of the rightwing coalition, the Democratic Unity Roundtable (MUD), of being implicated in the incident.

“Members of the MUD involved in the attack on electronic banking service,” he tweeted.

“The financial war continues inside and outside the country, internally they are damaging banking operability,” he added.

Venezuelan news source La Iguana has reported that the server administrator of Credicard is the company Dayco Host, which belongs to the D’Agostino family. Diana D’Angostino is married to veteran opposition politician, Henry Ramos Allup, president of the National Assembly.

On Saturday, the government-promoted Productive Economy Council held an extraordinary meeting of political and business representatives to reject the attack on the country’s financial system.